Browse Source

[mod_cgi] do not send "Status" back to client

"Status" from CGI/1.1 environment should not be sent back to client.

Also, do not send "Status" back to client in mod_scgi
and more precisely parse for "Status" in mod_fastcgi
personal/stbuehler/mod-csrf
Glenn Strauss 5 years ago
parent
commit
7f9209c6d4
  1. 2
      src/mod_cgi.c
  2. 2
      src/mod_fastcgi.c
  3. 2
      src/mod_scgi.c

2
src/mod_cgi.c

@ -352,6 +352,8 @@ static int cgi_response_parse(server *srv, connection *con, plugin_data *p, buff
} else {
con->http_status = 502;
}
/* do not send Status to client */
buffer_reset(ds->value);
}
break;
case 8:

2
src/mod_fastcgi.c

@ -2077,7 +2077,7 @@ static int fcgi_response_parse(server *srv, connection *con, plugin_data *p, buf
/* authorizers shouldn't affect the response headers sent back to the client */
/* don't forward Status: */
if (0 != strncasecmp(key, "Status", key_len)) {
if (key_len != sizeof("Status")-1 || 0 != strncasecmp(key, "Status", key_len)) {
data_string *ds;
if (NULL == (ds = (data_string *)array_get_unused_element(con->response.headers, TYPE_STRING))) {
ds = data_response_init();

2
src/mod_scgi.c

@ -1742,6 +1742,8 @@ static int scgi_response_parse(server *srv, connection *con, plugin_data *p, buf
} else {
con->http_status = 502;
}
/* do not send Status to client */
buffer_reset(ds->value);
}
break;
case 8:

Loading…
Cancel
Save